Configuring Stickiness
Stickiness Overview
Stickiness is an ACE feature that allows the same client to maintain multiple
simultaneous or subsequent TCP or IP connections with the same real server for
the duration of a session. A session is defined as a series of transactions between
a client and a server over some finite period of time (from several minutes to
several hours). This feature is particularly useful for e-commerce applications
where a client needs to maintain multiple connections with the same server while
shopping online, especially while building a shopping cart and during the
checkout process.
Depending on the configured SLB policy, the ACE sticks a client to an
appropriate server after the ACE has determined which load-balancing method to
use. If the ACE determines that a client is already stuck to a particular server, then
the ACE sends that client request to that server, regardless of the load-balancing
criteria specified by the matched policy. If the ACE determines that the client is
not stuck to a particular server, it applies the normal load-balancing rules to the
content request.
This section contains the following topics:
Why Use Stickiness?
Sticky Groups
Sticky Methods
Sticky Table
Backup Server Farm Behavior with Stickiness
Why Use Stickiness?
E-commerce applications are not the only types of applications that require
stickiness. Any web application that maintains client information may require
stickiness, such as banking applications or online trading. Other uses include FTP
and HTTP file transfers.
Sticky Groups
The ACE uses the concept of sticky groups to configure stickiness. A sticky group
allows you to specify sticky attributes. After you configure a sticky group and its
attributes, you associate the sticky group with a match statement or a Layer 7
policy-map action in a Layer 7 SLB policy map. You can create a maximum of
4095 sticky groups in an ACE. Each sticky group that you configure on the ACE
contains a series of parameters that determine the following:
Sticky method
Timeout
Replication
Cookie offset and other related attributes
HTTP, RTSP, or SIP header offset and other header-related attributes
RADIUS attributes
Sticky Methods
Because an application must distinguish each user or group of users, the ACE
needs to determine how a particular user is stuck to a specific web server. The
ACE supports the following sticky methods:
Source and/or destination IP address
Layer 4 payload
Hypertext Transfer Protocol (HTTP) content
HTTP cookie
HTTP header
Remote Access Dial-In User Service (RADIUS) attributes
Real-Time Streaming Protocol (RTSP) header
Session Initiation Protocol (SIP) header
SSL Session ID
IP Address Stickiness
You can use the source IP address, the destination IP address, or both to uniquely
identify individual clients and their requests for stickiness purposes based on their
IP netmask. However, if an enterprise or a service provider uses a megaproxy to
establish client connections to the Internet, the source IP address no longer is a
reliable indicator of the true source of the request. In this case, you can use
cookies or one of the other sticky methods to ensure session persistence.
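The megaproxy caveat above, as an added Python illustration (not part of the Cisco guide and not ACE code): it derives a sticky key from masked addresses and shows, on constructed data, several users collapsing onto one key and one user splitting across two keys. The function names, user labels and addresses are assumptions made for the example.

```python
# Added illustration, not Cisco code: netmask-based sticky keys and the megaproxy effect.
import ipaddress
from collections import defaultdict


def sticky_key(src, dst, netmask, address="source"):
    """Return the masked address(es) that identify a client for stickiness.

    `address` mirrors the source / destination / both choice of the sticky group.
    """
    def masked(ip):
        net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
        return str(net.network_address)

    if address == "source":
        return (masked(src),)
    if address == "destination":
        return (masked(dst),)
    if address == "both":
        return (masked(src), masked(dst))
    raise ValueError("address must be 'source', 'destination' or 'both'")


# Constructed sample: (real user, source IP seen by the load balancer, VIP).
# alice, bob and carol leave through one proxy address; dave's requests leave
# through two different addresses of a proxy pool.
REQUESTS = [
    ("alice", "198.51.100.10", "192.0.2.80"),
    ("bob",   "198.51.100.10", "192.0.2.80"),
    ("carol", "198.51.100.10", "192.0.2.80"),
    ("dave",  "203.0.113.5",   "192.0.2.80"),
    ("dave",  "203.0.113.77",  "192.0.2.80"),
]


def shared_keys(requests, netmask, address="source"):
    """Keys that hide more than one real user: all of them follow one sticky entry."""
    users = defaultdict(set)
    for user, src, dst in requests:
        users[sticky_key(src, dst, netmask, address)].add(user)
    return {key: sorted(names) for key, names in users.items() if len(names) > 1}


def split_users(requests, netmask, address="source"):
    """Users whose requests map to more than one key, so a session can change server."""
    keys = defaultdict(set)
    for user, src, dst in requests:
        keys[user].add(sticky_key(src, dst, netmask, address))
    return sorted(user for user, seen in keys.items() if len(seen) > 1)


if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.0"):
        print(mask, "shared:", shared_keys(REQUESTS, mask),
              "split:", split_users(REQUESTS, mask))
```

A wider mask removes the split for dave only because both proxy addresses happen to fall in the same /24; it does nothing for the three users who share one address, which is why the text points to cookies or another sticky method.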
Sticky Table
To keep track of sticky connections, the ACE uses a sticky table. Table entries
include the following items:
Sticky groups
Sticky methods
Sticky connections
Real servers
The sticky table can hold a maximum of four million entries (four million
simultaneous users). When the table reaches the maximum number of entries,
additional sticky connections cause the table to wrap and the first users become
unstuck from their respective servers.
The ACE uses a configurable timeout mechanism to age out sticky table entries.
When an entry times out, it becomes eligible for reuse. High connection rates may
cause the premature aging out of sticky entries. In this case, the ACE reuses the
entries that are closest to expiration first.
Sticky entries can be either dynamic or static (user configured). When you create
a static sticky entry, the ACE places the entry in the sticky table immediately.
Static entries remain in the sticky database until you remove them from the
configuration. You can create a maximum of 4095 static sticky entries in each
context.
If the ACE takes a real server out of service for whatever reason (probe failure,
no inservice command, or ARP timeout), the ACE removes any sticky entries that
are associated with that server from the database.
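The sticky table rules above (timeout aging, reuse of the entry closest to expiration when the table is full, static entries that never age, removal of entries for a server taken out of service), as an added Python model that is not ACE code. The class and method names, the tiny capacity and the assumption that a matching request restarts an entry's timer are choices made for the example.

```python
# Added illustration, not Cisco code: a simplified model of the sticky table.
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List, Optional


@dataclass
class Entry:
    server: str
    expires_at: Optional[float]  # None marks a static (user-configured) entry


class StickyTable:
    def __init__(self, capacity: int, timeout_min: int = 1440):
        self.capacity = capacity
        self.timeout_s = timeout_min * 60
        self.entries: Dict[str, Entry] = {}
        self.reused: List[str] = []  # keys whose entry was reused before it timed out

    def add_static(self, key: str, server: str) -> None:
        """Static entries go into the table immediately and are never aged out."""
        self.entries[key] = Entry(server, None)

    def age_out(self, now: float) -> List[str]:
        """Drop dynamic entries whose timeout has passed; return their keys."""
        expired = [k for k, e in self.entries.items()
                   if e.expires_at is not None and e.expires_at <= now]
        for k in expired:
            del self.entries[k]
        return expired

    def route(self, key: str, now: float, pick_server: Callable[[], str]) -> str:
        """Return the stuck server, or load balance and create a new entry."""
        self.age_out(now)
        entry = self.entries.get(key)
        if entry is not None:
            if entry.expires_at is not None:
                entry.expires_at = now + self.timeout_s  # assumption: a hit restarts the timer
            return entry.server
        server = pick_server()
        if len(self.entries) >= self.capacity:
            dynamic = [k for k, e in self.entries.items() if e.expires_at is not None]
            if not dynamic:
                return server  # table holds only static entries: balanced, not stuck
            victim = min(dynamic, key=lambda k: self.entries[k].expires_at)
            del self.entries[victim]  # entry closest to expiration is reused first
            self.reused.append(victim)
        self.entries[key] = Entry(server, now + self.timeout_s)
        return server

    def remove_server(self, server: str) -> List[str]:
        """Real server taken out of service: remove every entry that points at it."""
        gone = [k for k, e in self.entries.items() if e.server == server]
        for k in gone:
            del self.entries[k]
        return gone


def demo():
    """Constructed timeline: (seconds, client key) against a 3-entry table, 10-minute timeout."""
    table = StickyTable(capacity=3, timeout_min=10)
    round_robin = cycle(["S1", "S2"])
    log = []
    for t, client in [(0, "A"), (60, "B"), (120, "C"), (180, "A"), (240, "D"), (300, "B")]:
        log.append((client, table.route(client, t, lambda: next(round_robin))))
    return table, log


if __name__ == "__main__":
    table, log = demo()
    print(log)           # B is first stuck to S2, loses its entry to D, then lands on S1
    print(table.reused)  # clients that became unstuck before their timeout
```

Client B in the timeline is the case to watch for in production: its session state lives on S2, yet after its entry is reused it is balanced to S1 well inside the configured timeout.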
Backup Server Farm Behavior with Stickiness
If all the servers in the primary server farm go down, the ACE sends all new
requests to the backup server farm. When the primary server farm comes back up
(at least one server becomes active):
- If the sticky option is enabled, then:
  - All new sticky connections that match existing sticky table entries for the
    real servers in the backup server farm are stuck to the same real servers
    in the backup server farm.
  - All new non-sticky connections and those sticky connections that do not
    have an entry in the sticky table are load balanced to the real servers in
    the primary server farm.
- If the sticky option is not enabled, then the ACE load balances all new
  connections to the real servers in the primary server farm.
- Existing non-sticky connections to the servers in the backup server farm are
  allowed to complete in the backup server farm.
Note: You can fine-tune the conditions under which the primary server farm fails over
and returns to service by configuring a partial server farm failover. For details
about partial server farm failover, see the Configuring a Partial Server Farm
Failover section in Chapter 2, Configuring Real Servers and Server Farms.
If you want to configure sorry servers and you want existing connections to revert
to the primary server farm after it comes back up, do not use stickiness. For
information about configuring backup server farms and sorry servers, see
Chapter 3, Configuring Traffic Policies for Server Load Balancing.
create sticky database entries even if you have not explicitly allocated
resources for stickiness. This is possible because the ACE uses a global pool
of resources, including sticky resources. When a context needs additional
resources, it takes them from the global pool if there are resources available.
When resources are released from a context, the ACE returns them to the
global pool. If there are no resources available in the global pool when a
context needs them, the ACE places the context in starvation mode until more
resources are released.
If you explicitly allocate resources for stickiness, the ACE considers both the
minimum and the maximum values, including max set to unlimited. If the
minimum value is reached, the maximum value is set to unlimited, and there
are resources available in the global pool, the LB module can take resources
from the pool to create a new sticky database entry.
For static sticky entries, if the ACE accepts the CLI command, it inserts the
entry into the sticky database. If there are no resources immediately available,
the ACE evaluates other contexts and takes resources from one or more
contexts if possible.
For details about configuring resource groups and allocating resources, see
the Cisco Application Control Engine Module Virtualization Configuration
Guide.
You can configure the same sticky group in multiple policies or virtual
servers. In that case, the sticky behavior applies to all connections to any of
those policies or class maps. These connections are referred to as buddy
connections because, if you configure both policy or class map 1 and 2 with
the same sticky group, a client stuck to server A through policy or class map 1
will also be stuck to the same server A through policy or class map 2.
If you associate the same sticky group with multiple policies, it is very
important to make sure that all the policies use either the same server farm or
different server farms with the same servers in them.
Note: You can associate a maximum of 1024 instances of the same type of regular
expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7
policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You
configure regexes in the following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create a sticky-IP group and enter sticky-IP configuration mode.
host1/Admin(config)# sticky ip-netmask 255.255.255.255 address both GROUP1
host1/Admin(config-sticky-ip)#
4. Configure a timeout for IP address stickiness.
host1/Admin(config-sticky-ip)# timeout 720
5. (Optional) Enable the timeout to override active connections.
host1/Admin(config-sticky-ip)# timeout activeconns
6. Enable the replication of sticky table information to the standby context in
case of a switchover in a redundancy configuration. For details about
configuring redundancy on an ACE, see the Cisco Application Control
Engine Module Administration Guide.
host1/Admin(config-sticky-ip)# replicate sticky
7. Associate a server farm with the sticky group for sticky connections and,
optionally, tie the state of the backup server farm with the state of all the
real servers in the primary server farm and in the backup server farm.
host1/Admin(config-sticky-ip)# serverfarm SFARM1 backup BKUP_SFARM2 sticky
Note: If you configure a network mask other than 255.255.255.255 (/32), the
ACE may populate the sticky entries only on one of its four network
processors which may reduce the number of available sticky entries by
25 percent. This reduction in resources may cause problems when heavy
sticky use occurs on the ACE.
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-ip)# timeout 720
Note: When the ACE times out a RADIUS load-balanced (RLB) sticky entry, it only
uses connections for the end-user traffic towards the connection count. It does not
use connections for the RADIUS traffic towards the connection count, whether or
not you configure the timeout activeconns command. The only exception is when
a connection has an outstanding RADIUS request for that sticky entry.
timeout activeconns
To restore the behavior of the ACE to the default of not timing out IP address
sticky entries if active connections exist, enter:
host1/Admin(config-sticky-ip)# no timeout activeconns
replicate sticky
Note: The timer of an IP address sticky table entry on the standby ACE is reset every
time the entry is synchronized with the active ACE entry. Thus, the standby sticky
entry may have a lifetime up to twice as long as the active entry. However, if the
entry expires on the active ACE or a new real server is selected and a new entry
is created, the old entry on the standby ACE is replaced.
To restore the ACE default of not replicating IP address sticky table entries, enter:
host1/Admin(config-sticky-ip)# no replicate sticky
Note: When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
To configure static sticky-IP table entries, use the static client command in
sticky-IP configuration mode. The syntax of this command varies according to the
address option that you chose when you created the sticky group. See the
Creating an IP Address Sticky Group section.
If you configured the sticky group with the source option, the syntax of this
command is as follows:
If you configured the sticky group with the destination option, the syntax of this
command is as follows:
If you configured the sticky group with the both option, the syntax of this
command is as follows:
Note: If all servers in the server farm fail and you did not configure a backup
server farm, the ACE sends a reset (RST) to a client in response to a
content request. If you do configure a backup server farm, by default,
the ACE takes into account the state of all the real servers in the
backup server farm before taking the VIP out of service. If all the real
servers in the primary server farm fail, but there is at least one real
server in the backup server farm that is operational, the ACE keeps
the VIP in service.
ip address 192.168.252.242
inservice
then stick a client to a specific server based on a string in the data (payload)
portion of the protocol packet, such as a user ID. You define the string as a regular
expression (regex) and its location in the payload as an offset and length in the
sticky configuration. For more information, see Chapter 3, Configuring Traffic
Policies for Server Load Balancing.
To avoid using a large amount of memory with regular expressions, we
recommend the following guidelines when you configure Layer 4 payload
stickiness:
Use only one generic rule per VIP.
Use the same offset for all generic rules on the same VIP.
Use the smallest possible offset that will work for your application.
Avoid deploying Layer 4 payload stickiness and Layer 4 payload matching
(see Chapter 3, Configuring Traffic Policies for Server Load Balancing)
simultaneously, when possible.
Note: You can associate a maximum of 1024 instances of the same type of regex with
a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including
generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the
following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
Layer 7 hash predictors for server farms
Layer 7 sticky expressions in sticky groups
Header insertion and rewrite (including SSL URL rewrite) expressions in
Layer 7 action lists
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create a Layer 4 payload sticky group and enter sticky Layer 4
configuration mode.
host1/Admin(config)# sticky layer4-payload L4_PAYLOAD_GROUP
host1/Admin(config-sticky-l4payloa)#
4. Configure a timeout for Layer 4 payload stickiness.
host1/Admin(config-sticky-l4payloa)# timeout 720
5. (Optional) Enable the timeout to override active connections.
host1/Admin(config-sticky-l4payloa)# timeout activeconns
The name argument is the unique identifier of the sticky group. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
For example, enter:
host1/Admin(config)# sticky layer4-payload L4_PAYLOAD_GROUP
host1/Admin(config-sticky-l4payloa)#
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-l4payloa)# timeout 720
timeout activeconns
To restore the behavior of the ACE to the default of not timing out Layer 4
payload sticky entries if active connections exist for those entries, enter:
host1/Admin(config-sticky-l4payloa)# no timeout activeconns
replicate sticky
Note: The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. The standby sticky entry may have a
lifetime up to twice as long as the active entry. However, if the entry expires on
the active ACE or a new real server is selected and a new entry is created, the old
entry on the standby ACE is replaced.
To restore the ACE default of not replicating sticky table entries, enter:
host1/Admin(config-sticky-l4payloa)# no replicate sticky
response sticky
For example, to enable the ACE to parse the response bytes from a server and
perform sticky learning, enter:
host1/Admin(config-sticky-l4payloa)# response sticky
To reset the behavior of the ACE to the default of not parsing server responses and
performing sticky learning, enter:
host1/Admin(config-sticky-l4payloa)# no response sticky
For a TCP connection, the ACE stops parsing only if the max-parse length
value is equal to or less than the portion of the packet remaining after the
offset value. If the max-parse length value is larger than the remaining
packet size, the ACE waits continuously to receive more data from the client.
For UDP, the ACE stops parsing when it reaches the end of the packet.
Note: You cannot specify both the length and the end-pattern options in
the same layer4-payload command.
Note: When matching data strings, note that the period (.) and question
mark (?) characters do not have a literal meaning in regular
expressions. Use brackets ([]) to match these symbols (for example,
enter www[.]xyz[.]com instead of www.xyz.com). You can also use a
backslash (\) to escape a dot (.) or a question mark (?).
To remove the payload offset and length from the configuration, enter:
host1/Admin(config-sticky-l4payloa)# no layer4-payload
Note: When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
To configure a static Layer 4 payload sticky entry, use the static layer4-payload
command in sticky Layer 4 payload configuration mode. The syntax of this
command is as follows:
value: Payload string value. Enter an unquoted text string with no spaces and
a maximum of 255 alphanumeric characters. Alternatively, you can enter a
text string with spaces if you enclose the string in quotation marks (" ").
rserver name: Specifies the hostname of an existing real server.
number: (Optional) Port number of the real server. Enter an integer from 1
to 65535.
For example, enter:
host1/Admin(config-sticky-l4payloa)# static layer4-payload STINGRAY rserver SERVER1 4000
Note: You can associate a maximum of 1024 instances of the same type of regex with
a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including
generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the
following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
Layer 7 hash predictors for server farms
Layer 7 sticky expressions in sticky groups
Header insertion and rewrite (including SSL URL rewrite) expressions in
Layer 7 action lists
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create an HTTP content sticky group and enter sticky-content configuration
mode.
host1/Admin(config)# sticky http-content HTTP_CONTENT_GROUP
host1/Admin(config-sticky-content)#
The name argument is the unique identifier of the sticky group. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create a sticky group for content stickiness, enter:
host1/Admin(config)# sticky http-content HTTP_CONTENT_GROUP
host1/Admin(config-sticky-content)#
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-content)# timeout 720
timeout activeconns
To restore the ACE default to not time out HTTP content sticky entries if active
connections exist for those entries, enter:
host1/Admin(config-sticky-content)# no timeout activeconns
replicate sticky
Note: The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. Thus, the standby sticky entry may
have a lifetime up to twice as long as the active entry. However, if the entry expires
on the active ACE or a new real server is selected and a new entry is created, the
old entry on the standby ACE is replaced.
To restore the default behavior of the ACE to not replicate sticky table entries,
enter:
host1/Admin(config-sticky-content)# no replicate sticky
Note: You cannot specify both the length and the end-pattern options in
the same content command.
Note: When matching data strings, note that the period (.) and the question
mark (?) characters do not have a literal meaning in regular
expressions. Use brackets ([]) to match these symbols (for example,
enter www[.]xyz[.]com instead of www.xyz.com). You can also use a
backslash (\) to escape a dot (.) or a question mark (?).
Note: When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
When a client makes an HTTP request to a server, the server typically sends a
cookie in the Set-Cookie message in the response to the client. In most cases, the
client returns the same cookie value in a subsequent HTTP request. The ACE
sticks the client to the same server based on that matching value. This scenario is
typical on the web with traditional web clients.
However, in some environments, clients may be unable to support cookies in their
browser, which makes this type of cookie sticky connection impossible. To
circumvent this problem, the ACE can extract the cookie name and value
embedded in the URL string. This feature works only if the server embeds the
cookie into the URL link on the web page.
Depending on client and server behavior and the sequence of frames, the same
cookie value may appear in the standard HTTP cookie that is present in the HTTP
header, Set-Cookie message, or cookie embedded in a URL. The actual name of
the cookie may differ depending on whether the cookie is embedded in a URL or
appears in an HTTP header. The use of a different name for the cookie and the
URL occurs because these two parameters are configurable on the server and are
often set differently. For example, the Set-Cookie name may be as follows:
Set-Cookie: session_cookie = 123
If the client request does not contain a cookie, the ACE looks for the session-ID
string (?session-id=) configured on the ACE. The value associated with this string
is the session-ID number that the ACE looks for in the cache. The ACE matches
the session ID with the server where the requested information resides and the
ACE sends the client request to that server.
The name argument in the sticky command is the cookie name that appears in the
HTTP header. The name argument in the cookie secondary command specifies
the cookie name that appears in the URL.
By default, the maximum number of bytes that the ACE parses to check for a
cookie, HTTP header, or URL is 4096. If a cookie, HTTP header, or URL exceeds
the default value, the ACE drops the packet and sends a RST (reset) to the client
browser. You can increase the number of bytes that the ACE parses using the set
header-maxparse-length command in HTTP parameter-map configuration
mode. For details about setting the maximum parse length, see Chapter 3,
Configuring Traffic Policies for Server Load Balancing.
You can also change the default behavior of the ACE when a cookie, header, or
URL exceeds the maximum parse length using the length-exceed command in
HTTP parameter-map configuration mode. For details, see Chapter 3,
Configuring Traffic Policies for Server Load Balancing.
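The cookie lookup described above (cookie in the HTTP header first, then the session-ID string embedded in the URL, with the 4096-byte default parse length), as an added Python sketch that is not ACE code. The function names, the sample requests and the simplification that the whole request head counts against the parse length are assumptions; the names session_cookie and session-id are taken from the text.

```python
# Added illustration, not Cisco code: where a cookie-sticky value can come from.
from urllib.parse import parse_qs, urlsplit

DEFAULT_MAX_PARSE = 4096  # default parse length stated in the text above


def sticky_value(raw, cookie_name, secondary_name=None, max_parse=DEFAULT_MAX_PARSE):
    """Return (source, value); source is 'cookie', 'url', 'none' or 'drop'."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    if len(head) > max_parse:
        return ("drop", None)  # simplification: request line plus headers count together
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ("none", None)  # not a parsable request line
    target = parts[1]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.partition("=")
            if key.strip() == cookie_name:
                return ("cookie", val.strip())
    if secondary_name:
        values = parse_qs(urlsplit(target).query).get(secondary_name)
        if values:
            return ("url", values[0])  # cookie value embedded in the URL
    return ("none", None)


def route(raw, table, cookie_name, secondary_name, pick_server):
    """Stick on the extracted value; `table` maps sticky value -> server."""
    source, value = sticky_value(raw, cookie_name, secondary_name)
    if source == "drop":
        return "RST"
    if source == "none":
        return pick_server()  # normal load balancing, nothing to stick on
    if value not in table:
        table[value] = pick_server()
    return table[value]


# Constructed sample requests (hostnames and paths are made up).
REQ_COOKIE = b"GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: lang=en; session_cookie=123\r\n\r\n"
REQ_URL = b"GET /cart?session-id=123 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_PLAIN = b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_HUGE = (b"GET / HTTP/1.1\r\nHost: shop.example\r\nCookie: session_cookie="
            + b"A" * 5000 + b"\r\n\r\n")

if __name__ == "__main__":
    for req in (REQ_COOKIE, REQ_URL, REQ_PLAIN, REQ_HUGE):
        print(sticky_value(req, "session_cookie", "session-id"))
```

The oversized request is rejected at the default length and parsed once the limit is raised, which is the trade-off behind set header-maxparse-length: a larger limit accepts legitimate long cookies and also makes the device parse more untrusted bytes per request.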
Note: You can associate a maximum of 1024 instances of the same type of regular
expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7
policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You
configure regexes in the following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
Layer 7 hash predictors for server farms
Layer 7 sticky expressions in sticky groups
Header insertion and rewrite (including SSL URL rewrite) expressions in
Layer 7 action lists
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create an HTTP cookie sticky group and enter sticky-cookie configuration
mode.
host1/Admin(config)# sticky http-cookie cisco.com GROUP2
host1/Admin(config-sticky-cookie)#
4. Configure a timeout for HTTP cookie stickiness.
host1/Admin(config-sticky-cookie)# timeout 720
5. (Optional) Enable the timeout to override active connections.
host1/Admin(config-sticky-cookie)# timeout activeconns
6. Enable the replication of sticky table information to the standby context in
case of a switchover in a redundancy configuration. For details about
configuring redundancy on an ACE, see the Cisco Application Control
Engine Module Administration Guide.
host1/Admin(config-sticky-cookie)# replicate sticky
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
Note: When you configure sticky timeout for an HTTP cookie, the timeout translates
into the expiration date for the cookie. This expiration date can be longer than the
actual timeout specified in the timeout command, with sometimes as much as 20
to 25 minutes added to the expiration date.
timeout activeconns
To restore the ACE default of not timing out HTTP cookie sticky entries if active
connections exist for those entries, enter:
host1/Admin(config-sticky-cookie)# no timeout activeconns
replicate sticky
Note: The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. Thus, the standby sticky entry may
have a lifetime up to twice as long as the active entry. However, if the entry expires
on the active ACE or a new real server is selected and a new entry is created, the
old entry on the standby ACE is replaced.
To restore the ACE default of not replicating sticky table entries, enter:
host1/Admin(config-sticky-cookie)# no replicate sticky
server to the client. The ACE selects a cookie value that identifies the original
server from which the client received a response. For subsequent connections of
the same transaction, the client uses the cookie to stick to the same server.
Note: With either TCP server reuse or persistence rebalance enabled, the ACE inserts a
cookie in every client request. For information about TCP server reuse, see the
Configuring TCP Server Reuse section in Chapter 3, Configuring Traffic
Policies for Server Load Balancing. For information about persistence rebalance,
see Configuring HTTP Persistence Rebalance in Chapter 3, Configuring Traffic
Policies for Server Load Balancing.
To configure the cookie offset and length, use the cookie offset command in
sticky-cookie configuration mode. The syntax of this command is as follows:
To remove the cookie offset and length from the configuration, enter:
host1/Admin(config-sticky-cookie)# no cookie offset
Enter a cookie name as an unquoted text string with no spaces and a maximum of
64 alphanumeric characters.
For example, enter:
host1/Admin(config-sticky-cookie)# cookie secondary mysite.com
Note: When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
Note: Port number can only be configured if the real server is configured under
a server farm with a port number. If no port is configured for the server
farm, then no port can be configured for the static cookie.
You can also change the default behavior of the ACE when a cookie, header, or
URL exceeds the maximum parse length using the length-exceed command in
HTTP parameter-map configuration mode. For details, see Chapter 3,
Configuring Traffic Policies for Server Load Balancing.
Note: You can associate a maximum of 1024 instances of the same type of regex with
a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including
generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the
following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
Layer 7 hash predictors for server farms
Layer 7 sticky expressions in sticky groups
Header insertion and rewrite (including SSL URL rewrite) expressions in
Layer 7 action lists
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create an HTTP header sticky group and enter sticky-header configuration
mode.
host1/Admin(config)# sticky http-header Host HTTP_GROUP
host1/Admin(config-sticky-header)#
4. Configure a timeout for header stickiness.
host1/Admin(config-sticky-header)# timeout 720
5. (Optional) Enable the timeout to override active connections.
host1/Admin(config-sticky-header)# timeout activeconns
6. Enable the replication of header sticky table information to the standby
context in case of a switchover. Use this command with redundancy. For
details about configuring redundancy on an ACE, see the Cisco Application
Control Engine Module Administration Guide.
host1/Admin(config-sticky-header)# replicate sticky
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-header)# timeout 720
timeout activeconns
To restore the ACE default of not timing out header sticky entries if active
connections exist for those entries, enter:
host1/Admin(config-sticky-header)# no timeout activeconns
replicate sticky
Note: The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. Thus, the standby sticky entry may
have a lifetime up to twice as long as the active entry. However, if the entry expires
on the active ACE or a new real server is selected and a new entry is created, the
old entry on the standby ACE is replaced.
To restore the ACE default of not replicating HTTP header sticky table entries,
enter:
host1/Admin(config-sticky-header)# no replicate sticky
offset number1: Specifies the portion of the header that the ACE uses to
stick the client to a particular server by indicating the bytes to ignore starting
with the first byte of the header. Enter an integer from 0 to 999. The default
is 0, which indicates that the ACE does not exclude any portion of the header.
length number2: Specifies the length of the portion of the header (starting
with the byte after the offset value) that the ACE uses for sticking the client
to the server. Enter an integer from 1 to 1000. The default is 1000.
For example, enter:
host1/Admin(config-sticky-header)# header offset 500 length 1000
To remove the header offset and length values from the configuration, enter:
host1/Admin(config-sticky-header)# no header offset
Note: When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
To remove the static header entry from the sticky table, enter:
host1/Admin(config-sticky-header)# no static header-value 12345678 rserver SERVER1 3000
  ip address 192.168.252.247
  inservice
rserver host SERVER9
  ip address 192.168.252.248
  inservice
    sticky-serverfarm HEADER-GROUP2
  class class-default
    serverfarm DEFAULT
policy-map multi-match L4SH-Gold-VIPs_POLICY
  class L4STICKY-HEADER_129:80_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_STICKY-HEADER_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 VLAN 120
    appl-parameter http advanced-options PERSIST-REBALANCE
Note: You can associate a maximum of 1024 instances of the same type of regex with
a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including
generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the
following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
Layer 7 hash predictors for server farms
Layer 7 sticky expressions in sticky groups
Header insertion and rewrite (including SSL URL rewrite) expressions in
Layer 7 action lists
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-radius)# timeout 720
timeout activeconns
To restore the ACE default of not timing out RADIUS-attribute sticky entries if
active connections exist for those entries, enter:
host1/Admin(config-sticky-radius)# no timeout activeconns
replicate sticky
Note The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. Thus, the standby sticky entry may
have a lifetime up to twice as long as the active entry. However, if the entry expires
on the active ACE or a new real server is selected and a new entry is created, the
old entry on the standby ACE is replaced.
Note You can associate a maximum of 1024 instances of the same type of regex with
a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including
generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the
following:
The rest of the examples in this table use the Admin context for illustration
purposes, unless otherwise specified. For details on creating contexts, see
the Cisco Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create an RTSP header sticky group and enter sticky-header configuration
mode.
host1/Admin(config)# sticky rtsp-header Session RTSP_GROUP
host1/Admin(config-sticky-header)#
4. Configure a timeout for RTSP header stickiness.
host1/Admin(config-sticky-header)# timeout 720
5. (Optional) Enable the timeout to override active connections.
host1/Admin(config-sticky-header)# timeout activeconns
6. Enable the replication of RTSP header sticky table information to the
standby context in case of a switchover. Use this command with
redundancy. For details about configuring redundancy on an ACE, see the
Cisco Application Control Engine Module Administration Guide.
host1/Admin(config-sticky-header)# replicate sticky
7. Associate a server farm with the RTSP header sticky group for sticky
connections and, optionally, tie the state of the backup server farm with the
state of all the real servers in the primary server farm and in the backup
server farm.
host1/Admin(config-sticky-header)# serverfarm SFARM1 backup BKUP_SFARM2 sticky
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-header)# timeout 720
timeout activeconns
To restore the ACE default of not timing out header sticky entries if active
connections exist for those entries, enter:
host1/Admin(config-sticky-header)# no timeout activeconns
replicate sticky
Note The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. Thus, the standby sticky entry may
have a lifetime up to twice as long as the active entry. However, if the entry expires
on the active ACE or a new real server is selected and a new entry is created, the
old entry on the standby ACE is replaced.
To restore the ACE default of not replicating RTSP header sticky table entries,
enter:
host1/Admin(config-sticky-header)# no replicate sticky
To remove the header offset and length values from the configuration, enter:
host1/Admin(config-sticky-header)# no header offset
Note When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
To remove the static RTSP header entry from the sticky table, enter:
host1/Admin(config-sticky-header)# no static header-value 12345678 rserver SERVER1 3000
Note You can associate a maximum of 1024 instances of the same type of regex with
a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including
generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the
following:
Match statements in Layer 7 class maps
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Create a SIP-header sticky group and enter sticky-header configuration
mode.
host1/Admin(config)# sticky sip-header Call-ID SIP_GROUP
host1/Admin(config-sticky-header)#
4. Configure a timeout for SIP header stickiness.
host1/Admin(config-sticky-header)# timeout 720
5. (Optional) Enable the timeout to override active connections.
host1/Admin(config-sticky-header)# timeout activeconns
6. Enable the replication of header sticky table information to the standby
context in case of a switchover. Use this command with redundancy. For
details about configuring redundancy on an ACE, see the Cisco Application
Control Engine Module Administration Guide.
host1/Admin(config-sticky-header)# replicate sticky
7. Associate a server farm with the sticky group for sticky connections and,
optionally, tie the state of the backup server farm with the state of all the
real servers in the primary server farm and in the backup server farm.
host1/Admin(config-sticky-header)# serverfarm SFARM1 backup BKUP_SFARM2 sticky
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-header)# timeout 720
timeout activeconns
To restore the ACE default of not timing out SIP header sticky entries if active
connections exist for those entries, enter:
host1/Admin(config-sticky-header)# no timeout activeconns
replicate sticky
Note The timer of a sticky table entry on the standby ACE is reset every time the entry
is synchronized with the active ACE entry. Thus, the standby sticky entry may
have a lifetime up to twice as long as the active entry. However, if the entry expires
on the active ACE or a new real server is selected and a new entry is created, the
old entry on the standby ACE is replaced.
To restore the ACE default of not replicating SIP header sticky table entries, enter:
host1/Admin(config-sticky-header)# no replicate sticky
Note When you configure a static entry, the ACE enters it into the sticky table
immediately. You can create a maximum of 4095 static entries.
To remove the static header entry from the sticky table, enter:
host1/Admin(config-sticky-header)# no static header-value 12345678 rserver SERVER1 3000
Note You can associate a maximum of 1024 instances of the same type of regular
expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7
policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You
configure regexes in the following:
Match statements in Layer 7 class maps
Inline match statements in Layer 7 policy maps
Layer 7 hash predictors for server farms
Layer 7 sticky expressions in sticky groups
Header insertion and rewrite (including SSL URL rewrite) expressions in
Layer 7 action lists
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco
Application Control Engine Module Administration Guide.
2. Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3. Configure real servers for the SSL servers and associate them with an SSL
server farm. See Chapter 2, Configuring Real Servers and Server Farms.
4. Create a Layer 4 payload sticky group for 32-byte (the default length) SSL
IDs and enter sticky Layer 4 payload configuration mode.
host1/Admin(config)# sticky layer4-payload SSL_GROUP
host1/Admin(config-sticky-l4payloa)#
5. Configure a timeout for SSL Session-ID stickiness.
host1/Admin(config-sticky-l4payloa)# timeout 600
6. Associate a server farm with the sticky group for sticky connections and,
optionally, tie the state of the backup server farm with the state of all the
real servers in the primary server farm and all the real servers in the backup
server farm.
host1/Admin(config-sticky-l4payloa)# serverfarm SSL_SFARM1
The name argument is the unique identifier of the sticky group. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to configure an SSL ID sticky group, enter:
host1/Admin(config)# sticky layer4-payload SSL_GROUP
host1/Admin(config-sticky-l4payloa)#
timeout minutes
For the minutes argument, enter an integer from 1 to 65535. The default is
1440 minutes (24 hours).
For example, enter:
host1/Admin(config-sticky-l4payloa)# timeout 600
serverfarm name1
The name1 argument specifies the identifier of an existing server farm that you
want to associate with the sticky group. You can associate one server farm with
each sticky group.
For example, to associate a server farm with a sticky group, enter:
host1/Admin(config-sticky-l4payloa)# serverfarm SSL_SFARM1
response sticky
For example, to enable the ACE to parse the response bytes from an SSL server
and learn the SSL Session ID, enter:
host1/Admin(config-sticky-l4payloa)# response sticky
To reset the behavior of the ACE to the default of not parsing SSL server
responses and performing sticky learning, enter the following command:
Configuring the Offset, Length, and Beginning Pattern for the SSL
Session ID
For SSLv3/TLS1, the SSL Session ID always appears at the same location in the
TCP packet payload. You can configure the ACE to use the constant portion of the
payload to make persistent connections to a specific SSL server. To define the
portion of the payload that you want the ACE to use, you specify payload offset
and length values. The ACE stores these values in the sticky table.
You can also specify a beginning pattern based on a regex that the ACE uses to
stick a client to a particular SSL server. For information about regular
expressions, see Table 3-3 in Chapter 3, Configuring Traffic Policies for Server
Load Balancing.
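The fixed position described above can be checked against the layout of a hello message. The following Python sketch is an added example, not part of the Cisco guide: it builds constructed ClientHello and ServerHello records and locates the Session ID, whose length byte sits at payload offset 43 and whose value starts at offset 44 when the hello is the first record in the payload. The function names are hypothetical, and the offsets come from the SSLv3/TLS 1.0 record layout rather than from any ACE command on this page.

```python
import struct

# Byte layout of a ClientHello/ServerHello carried at the start of a TCP payload.
RECORD_HDR = 5         # content type (1) + version (2) + record length (2)
HANDSHAKE_HDR = 4      # handshake type (1) + handshake length (3)
HELLO_FIXED = 2 + 32   # protocol version (2) + random (32)
SID_LEN_OFFSET = RECORD_HDR + HANDSHAKE_HDR + HELLO_FIXED   # 43
SID_OFFSET = SID_LEN_OFFSET + 1                             # 44

CLIENT_HELLO, SERVER_HELLO = 1, 2


def build_hello(msg_type, session_id, version=(3, 1)):
    """Build a minimal hello record (constructed sample data, not a capture)."""
    body = bytes(version) + bytes(range(32))          # version + 32-byte random
    body += bytes([len(session_id)]) + session_id     # length-prefixed Session ID
    if msg_type == CLIENT_HELLO:
        # one cipher suite in a 2-byte-length list, one compression method
        body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"
    else:
        # selected cipher suite and compression method
        body += b"\x00\x2f" + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([22]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def locate_session_id(payload):
    """Return (offset, length, session_id) for a hello at the start of payload."""
    if len(payload) <= SID_LEN_OFFSET:
        raise ValueError("payload too short to contain a hello message")
    if payload[0] != 22 or payload[1] != 3:
        raise ValueError("not an SSLv3/TLS handshake record")
    if payload[5] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("handshake message is not a hello")
    sid_len = payload[SID_LEN_OFFSET]
    if sid_len > 32:
        raise ValueError("Session ID longer than the 32-byte protocol maximum")
    session_id = payload[SID_OFFSET:SID_OFFSET + sid_len]
    if len(session_id) != sid_len:
        raise ValueError("payload truncated inside the Session ID")
    return SID_OFFSET, sid_len, session_id


def sticky_key(payload, expected_len=32):
    """Return the Session ID to stick on, or None when there is nothing usable.

    A new session carries an empty Session ID in the ClientHello, and a server
    may issue IDs shorter than 32 bytes; neither matches a 32-byte sticky rule.
    """
    try:
        _, sid_len, session_id = locate_session_id(payload)
    except ValueError:
        return None
    return session_id if sid_len == expected_len else None
```

The `expected_len` parameter mirrors the need to handle each Session ID length separately: a payload whose ID is not the expected length yields no sticky key and would fall through to normal load balancing.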
Note The inclusion of the \xST (STop) metacharacter aids the ACE in properly
load-balancing SSL session-ID packets. Without the \xST metacharacter in
regexes, certain SSL session-ID packets may get stuck in the ACE HTTP engine
and eventually time out the connection. For information on the use of the \xST
metacharacter for regular expressions, see the "Using the \xST Metacharacter
in Regular Expressions for Layer 4 Generic Data Parsing" section.
To configure the payload offset, length, and beginning pattern, use the
layer4-payload command in sticky Layer 4 payload configuration mode. The
syntax of this command is as follows:
To remove the payload offset, length, and beginning pattern from the
configuration, enter:
host1/Admin(config-sticky-l4payloa)# no layer4-payload
rserver SSL_SERVER1
ip address 192.168.12.2
inservice
rserver SSL_SERVER2
ip address 192.168.12.3
inservice
serverfarm SSL_SFARM1
rserver SSL_SERVER1
inservice
rserver SSL_SERVER2
inservice
context Admin
member RC1
Note For SSL Session-ID stickiness for different lengths of Session IDs, you can
configure as many class maps as necessary.
Note The ACE sticky table, which holds a maximum of 4 million entries, is shared
across all sticky types, including reverse IP stickiness.
Symmetric Topology
A typical firewall load-balancing topology (symmetric) includes two dedicated
ACEs with the firewalls positioned between the ACEs. In this scenario, the ACEs
are used exclusively for FWLB and simply forward traffic through their host
interfaces in either direction. See Figure 1.
The hosts in either VLAN 31 or VLAN 21 can initiate the first connection and the
hosts on both sides of the connection can see each other directly. Therefore,
only catch-all VIPs (with an IP address of 0.0.0.0 and a netmask of 0.0.0.0) are
configured on the ACE interfaces.
For the network diagram shown in Figure 1, the following steps describe a
possible connection scenario with reverse IP stickiness:
Step 1 Host A (a client) initiates an FTP control channel connection to the IP address of
Host C (an FTP server).
Step 2 ACE 1 load balances the connection to one of the two firewalls (FW1 or FW2) in
the FWS-OUT server farm. ACE 1 is configured with a source IP sticky group that
is associated with a policy map, which is applied to interface VLAN 113. This
configuration ensures that all connections coming from the same host (or directed
to the same host) are load balanced to the same firewall. The ACE creates a sticky
entry that maps the IP address of Host A to one of the firewalls.
Step 3 The firewall that receives the packets from ACE 1 forwards them to ACE 2.
Step 4 Assume that a sticky group that is based on the destination IP address is associated
with a policy map and is applied to interface VLAN 21. The same sticky group is
associated as a reverse sticky group with the policy that is applied to VLAN 111.
When it receives the packets, ACE 2 creates a sticky entry in the sticky database
based on the source IP address (because the sticky group is based on the
destination IP address in this case), which maps the Host A IP address to the
firewall in the FWS-IN server farm from which the traffic was received. Then,
ACE 2 forwards the packets to the FTP server (Host C) in the server farm.
Step 5 If you have enabled the mac-sticky command on the VLAN 111 interface, ACE 2
forwards return traffic from the same connection to the same firewall from which
the incoming traffic was received. The firewall routes the return traffic through
ACE 1, which in turn forwards it to the MSFC and from there to the client.
Step 6 Now suppose that Host C (an FTP server) opens a new connection (for example,
the corresponding FTP data channel of the previously opened FTP control
channel) to the IP address of Host A. Because a sticky group based on destination
IP is associated with the policy applied to interface VLAN 21, ACE 2 performs a
sticky lookup and finds a valid sticky entry (the one created in Step 4) in the sticky
database that allows ACE 2 to load balance the packets to the same firewall that
the control connection traversed.
Step 7 The firewall routes the packets through ACE 1, which in turn forwards them to the
MSFC and from there to the client (Host A).
The example that is described in the steps above is symmetric because it does
not matter on which side of the connections that the clients and servers reside.
Everything would work in a similar manner if Host C was a client opening the
FTP control channel and Host A was a server opening the FTP data channel,
assuming that a reverse sticky group was also configured on the ACE 1
VLAN 112 interface. To make reverse IP stickiness work symmetrically, you
must apply a reverse sticky group to the ACE interfaces that are associated
with the firewall server farm (in this example, VLAN 112 and VLAN 111)
and apply the same sticky group as a regular sticky group to the ACE
interfaces associated with the hosts (in this example, VLAN 113 and VLAN
21).
In this example, the assumption is to have a regular sticky group based on the
source IP associated with the VLAN 113 interface of the ACE 1 and another
sticky group based on the destination IP associated with the VLAN 21
interface of the ACE 2 (the reverse sticky groups on VLAN 112 and VLAN
111 would be based on the opposite IPs). Everything would work correctly if
the regular sticky groups were reversed, that is, the sticky group on VLAN
113 was based on the destination IP and the one on VLAN 21 was based on
the source IP, or if both regular sticky groups were based on both the source
and the destination IP.
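The connection scenario in Steps 1 through 7 can be traced with a small model of the two sticky tables. This Python simulation is an added example, not Cisco code: the class and function names are hypothetical, the host addresses are constructed, a round-robin iterator stands in for the configured predictor, and the two firewall lists are ordered differently on purpose so that the two ACEs would disagree if no reverse sticky entry existed.

```python
from itertools import cycle

# Constructed addresses for the hosts the steps call Host A and Host C.
HOST_A = "192.0.2.10"
HOST_C = "198.51.100.20"


class Ace:
    """One ACE with a single IP sticky group shared by its two interfaces."""

    def __init__(self, name, firewalls, sticky_field):
        self.name = name
        self.sticky_field = sticky_field      # "src" or "dst" (regular group)
        self.sticky_table = {}                # IP address -> firewall
        self._predictor = cycle(firewalls)    # round-robin stand-in (assumption)

    def from_host(self, packet):
        """Host-side interface: regular sticky lookup, else load balance."""
        key = packet[self.sticky_field]
        firewall = self.sticky_table.get(key)
        if firewall is None:
            firewall = next(self._predictor)
            self.sticky_table[key] = firewall
        return firewall

    def from_firewall(self, packet, firewall, reverse_sticky=True):
        """Firewall-side interface: reverse sticky keys on the opposite address
        and records the firewall from which the traffic was received."""
        if not reverse_sticky:
            return
        opposite = "src" if self.sticky_field == "dst" else "dst"
        self.sticky_table[packet[opposite]] = firewall


def ftp_session(reverse_sticky):
    """Run the control and data connections; return the firewall each used."""
    ace1 = Ace("ACE 1", ["FW1", "FW2"], sticky_field="src")   # VLAN 113 side
    ace2 = Ace("ACE 2", ["FW2", "FW1"], sticky_field="dst")   # VLAN 21 side

    # Steps 1-2: Host A opens the FTP control channel; ACE 1 picks a firewall.
    control = {"src": HOST_A, "dst": HOST_C}
    fw_control = ace1.from_host(control)

    # Steps 3-4: the firewall forwards to ACE 2, which learns a reverse entry
    # keyed on the source IP (Host A) on its firewall-side interface.
    ace2.from_firewall(control, fw_control, reverse_sticky=reverse_sticky)

    # Step 6: Host C opens the FTP data channel back to Host A; ACE 2 performs
    # a destination-IP sticky lookup on its host-side interface.
    data = {"src": HOST_C, "dst": HOST_A}
    fw_data = ace2.from_host(data)

    return {"control": fw_control, "data": fw_data,
            "ace2_table": dict(ace2.sticky_table)}


if __name__ == "__main__":
    print("with reverse sticky:   ", ftp_session(True))
    print("without reverse sticky:", ftp_session(False))
```

With the reverse entry in place both channels traverse FW1; without it, ACE 2 falls back to its own predictor and sends the data channel through FW2, a firewall that never saw the control connection.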
Asymmetric Topology
[Figure 2 (network diagram, not reproduced). Labels: server farm with RS1, RS2, RS3, and RS4; gateway 10.10.40.1; bridge-group virtual interface 10.10.40.2; FSW-OUT and FSW-IN; FW1; VLAN 21, VLAN 31, VLAN 113, VLAN 112, and VLAN 111; networks 10.10.40.0, 10.10.50.0, and 192.168.1.0.]
For the network diagram shown in Figure 2, the following steps describe the
sequence of events for establishing a connection with reverse IP stickiness:
Step 1 A client initiates a connection (for example, an FTP control channel connection)
to the IP address of one of the servers in the server farm.
Step 2 The Unknown LB load balances the connection to one of the two firewalls in the
FWS-OUT server farm. The Unknown LB should, at a minimum, support load
balancing based on the source or destination IP address hash predictor. These
predictors ensure that all connections coming from the same client (or destined to
the same server) are load balanced to the same firewall. Assume in this example
that a predictor based on source IP hash is configured in the Unknown LB, so that
all traffic coming from the same client will be directed to the same firewall.
Step 3 The firewall that receives the packet forwards it to the ACE.
Step 4 Assume that a sticky group that is based on the destination IP address is associated
with a policy map that is applied to interface VLAN 21 using a service policy. The
same sticky group is associated as a reverse sticky group with the policy that is
applied to VLAN 111. When it receives the packets, the ACE creates a sticky
entry in the sticky database based on the source IP address (because the sticky
group is based on the destination IP in this case), which maps the Host A IP
address to the firewall in the FWS-IN server farm from which the traffic was
received. Then, the ACE forwards the packets to the FTP server (Host C) in the
server farm.
Step 5 If you have enabled the mac-sticky command on VLAN 111, the ACE forwards
the return traffic for the same connection to the same firewall from which the
incoming traffic was received. The firewall routes the return traffic through the
Unknown-LB, which in turn forwards it to the MSFC and then to the client.
Step 6 Now suppose that the FTP server opens a new connection (for example, the
corresponding FTP data channel of the previously opened FTP control channel)
to the IP address of the client. Because a sticky group based on the destination IP
address is associated with the policy applied to interface VLAN 21, the ACE
performs a sticky lookup and finds a valid sticky entry (the one created in Step 4)
in the sticky database that allows the ACE to load balance the packets to the same
firewall that the control connection traversed.
Step 7 The firewall routes the packet through the Unknown LB, which in turn forwards
it to the MSFC and then to the client.
In this scenario, reverse sticky would also work properly under the following
conditions:
The sticky group is associated with the policy map as a regular sticky group
based on the source IP and applied to the VLAN 21 interface.
The sticky group is associated with the policy map as a reverse sticky group
(based on the destination IP address) and applied to the VLAN 111 interface.
The Unknown LB has a predictor based on the hash of the destination IP.
For more information about configuring firewall load balancing, see the Cisco
Application Control Engine Module Server Load-Balancing Configuration Guide.
Once you have associated reverse IP stickiness with a sticky group, you
cannot change that sticky group to a static sticky group.
You cannot configure regular stickiness and reverse stickiness under the same
Layer 7 policy map. If you need both types of stickiness, configure them in
separate Layer 7 policy maps and apply them to different interfaces using
different service policies.
For firewall load balancing, configure the mac-sticky command on the ACE
interface that is connected to the firewall.
reverse-sticky name
The name argument specifies the unique identifier of an existing IP address sticky
group. Enter the name of an existing IP address sticky group as an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters.
For example, to configure reverse IP stickiness for a sticky group called
DEST_IP_STICKY, enter the following sequence of commands:
host1/Admin(config)# sticky ip-netmask 255.255.255.255 address destination DEST_IP_STICKY
host1/Admin(config-sticky-ip)# serverfarm FWS-IN
show stats sticky - Provides the Total active reverse sticky entries field that
displays the total number of active reverse IP sticky entries in the sticky
database.
show service-policy route detail - Provides the reverse sticky group field
that displays the name of the sticky group configured for reverse IP
stickiness.
ACE 1 Configuration
access-list acl1 line 8 extended permit ip any any
policy-map multi-match LB
class CATCH-ALL-VIP
loadbalance vip inservice
loadbalance policy LB_PMAP_TO_REALS
policy-map multi-match ROUTE
class CATCH-ALL-VIP
loadbalance vip inservice
loadbalance policy ROUTE_PMAP
interface bvi 15
ip address 10.10.40.2 255.255.255.0
alias 10.10.40.3 255.255.255.0
no shutdown
ACE 2 Configuration
access-list acl1 line 8 extended permit ip any any
inservice
rserver host FW2
ip address 10.10.50.20
inservice
interface vlan 21
ip address 21.1.1.1 255.255.255.0
access-group input acl1
service-policy input L4_TO_FWS
no shutdown
interface vlan 111
description inside FW vlan
ip address 10.10.50.1 255.255.255.0
mac-sticky enable
access-group input acl1
service-policy input L4_TO_REALS
no shutdown
Step 1 Configure a Layer 7 class map and Layer 7 policy map, and then associate the
class map with the policy map.
host1/Admin(config)# class-map type http loadbalance match-any L7SLBCLASS
host1/Admin(config-cmap-http-lb)# match http 1 -value field=stream
host1/Admin(config-cmap-http-lb)# exit
host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)#
Step 2 Associate the sticky group as an action in the Layer 7 policy map.
host1/Admin(config-pmap-lb-c)# sticky-serverfarm STICKY_GROUP1
Step 3 Configure a Layer 7 HTTP parameter map. Configure parameters as necessary for
your application. For details about configuring an HTTP parameter map, see the
"Configuring an HTTP Parameter Map" section.
host1/Admin(config)# parameter-map type http HTTP_PARAM_MAP
host1/Admin(config-parammap-http)# set header-maxparse-length 8192
host1/Admin(config-parammap-http)# length-exceed continue
host1/Admin(config-parammap-http)# persistence-rebalance
host1/Admin(config-parammap-http)# exit
Step 4 Configure a Layer 3 and Layer 4 class map and policy map, and then associate the
class map with the policy map.
host1/Admin(config)# class-map L4VIPCLASS
host1/Admin(config-cmap)# match virtual-address 192.168.1.10 tcp eq 80
host1/Admin(config-cmap)# exit
host1/Admin(config)# policy-map multi-match L4POLICY
Step 5 Associate the Layer 7 policy map with the Layer 3 and Layer 4 policy map.
host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY
host1/Admin(config-pmap-c)# loadbalance vip inservice
Step 6 Associate the HTTP parameter map with the Layer 3 and Layer 4 policy map.
host1/Admin(config-pmap-c)# appl-parameter http advanced-options HTTP_PARAM_MAP
host1/Admin(config-pmap-c)# exit
Step 7 Apply the Layer 3 and Layer 4 policy map to an interface using a service policy
or globally to all interfaces in the current context.
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# service-policy input L4POLICY
or
host1/Admin(config)# service-policy input L4POLICY
For details about configuring an SLB traffic policy, see Chapter 3, Configuring
Traffic Policies for Server Load Balancing.
The output of this command displays configured sticky groups and their
attributes.
For the group sticky_group_name argument, enter the name of the configured
sticky group.
For example, to display the inserted cookie information for the sticky group called
GROUP1, enter:
host1/Admin# show sticky cookie-insert group GROUP1
Table 5-11 describes the fields in the show sticky cookie-insert command
output.
Table 5-11 Field Descriptions for the show sticky cookie-insert Command Output
Field: Description
Cookie: Cookie-insert hash string for each real server in the associated server farm.
HashKey: 64-bit hash value associated with the cookie.
rserver-instance: String containing the server-farm name, real-server name, and real-server port in the following format: server_farm_name/real_server_name:rserver_port
Note If you enable cookie insertion using the cookie insert command in
sticky cookie configuration mode, the show sticky database static
http-cookie command does not display the hash key.
Table 5-12 describes the fields in the show sticky database command output.
Table 5-12 Field Descriptions for the show sticky database Command Output
Field: Description
Sticky Group: Name of the sticky group.
Type: Type of sticky group (for example, HTTP-HEADER).
Timeout: Timeout (in minutes) for the entry in the sticky table.
Timeout-Activeconns: Indication whether the timeout activeconns command is enabled or disabled. When enabled, this command times out sticky connections even when active connections exist. Possible values are TRUE (enabled) or FALSE (disabled).
Sticky-Entry: Hashed value of the sticky entry in the database. For IP stickiness, displays the source or the destination address in dotted decimal notation.
Rserver-instance: Name and, optionally, port of a real server associated with the sticky group (for example, rs1:81). If no port is configured for the real server in the server farm, the port displays as 0 (for example, rs1:0).
Time-To-Expire: Time (in seconds) remaining for the sticky timeout. For sticky entries that have no expiration, the value is never. Static sticky entries always have a value of never.
Flags: For future use.
Sticky Replicate: Indication whether the ACE replicates sticky entries to the peer ACE in a redundancy configuration.
The text argument indicates the cookie or URL text for which you want to
calculate the hash value. Enter the cookie or URL value as an unquoted text string
with no spaces and with a maximum of 1024 alphanumeric characters. If you want
to include spaces in the text string, enclose the text string in quotation marks (" ").
For example, to generate the hash value for the cookie value 1.1.1.10, enter the
following command:
host1/Admin# show sticky hash 1.1.1.10
Hash: 0x8a0937592c500bfb - 9946542108159511547
Now you can display the sticky database for a particular sticky group and match
the generated hash with the sticky entry (hash) in the sticky database.
For example, to display the sticky database for the group STICKY_GROUP1,
enter the following command:
host1/Admin# show sticky database group STICKY_GROUP1
sticky group : STICKY_GROUP1
type : HTTP-COOKIE
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
--------------------+----------------+----------------+-------+
9946542108159511547 SERVER1:80 86390 -
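The manual matching step above can be scripted. The following Python helper is an added example, not a Cisco tool: it parses the two outputs shown above (embedded as sample text), confirms that the hex and decimal forms of the hash agree, and returns the real server the value is stuck to. The function names are hypothetical, and the idle-time figure assumes that time-to-expire counts down from the configured timeout and is reset when the entry is refreshed.

```python
import re

# Sample text taken from the two command outputs shown above.
HASH_OUTPUT = "Hash: 0x8a0937592c500bfb - 9946542108159511547"
DATABASE_OUTPUT = """\
sticky group : STICKY_GROUP1
type : HTTP-COOKIE
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
--------------------+----------------+----------------+-------+
9946542108159511547 SERVER1:80 86390 -
"""

HASH_RE = re.compile(r"Hash:\s*0x([0-9a-fA-F]{1,16})\s*-\s*(\d+)")
GROUP_RE = re.compile(r"^\s*sticky group\s*:\s*(\S+)")
TIMEOUT_RE = re.compile(r"^\s*timeout\s*:\s*(\d+)")
# Hashed entries only; IP sticky entries are dotted decimal and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+):(\d+)\s+(\d+|never)\s+\S+\s*$")


def parse_hash(output):
    """Return the hash as an integer after cross-checking both notations."""
    match = HASH_RE.search(output)
    if match is None:
        raise ValueError("no hash line found")
    from_hex, from_dec = int(match.group(1), 16), int(match.group(2))
    if from_hex != from_dec:
        raise ValueError("hex and decimal forms disagree; output is damaged")
    return from_dec


def parse_database(output):
    """Return one dict per hashed sticky entry in a show sticky database dump."""
    group, timeout_s, entries = None, None, []
    for line in output.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeout_s = int(m.group(1)) * 60      # minutes -> seconds
            continue
        m = ENTRY_RE.match(line)
        if m:
            ttl = None if m.group(4) == "never" else int(m.group(4))
            idle = None if ttl is None or timeout_s is None else timeout_s - ttl
            entries.append({"group": group, "hash": int(m.group(1)),
                            "rserver": m.group(2), "port": int(m.group(3)),
                            "time_to_expire": ttl, "idle_seconds": idle})
    return entries


def find_server(hash_output, database_output):
    """Return the entry whose sticky-entry equals the generated hash, or None."""
    wanted = parse_hash(hash_output)
    for entry in parse_database(database_output):
        if entry["hash"] == wanted:
            return entry
    return None


if __name__ == "__main__":
    print(find_server(HASH_OUTPUT, DATABASE_OUTPUT))
```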
The internal_id argument indicates the internal identifier of a sticky entry in the
sticky database.
The following example shows how to use the two above-mentioned commands to
display all the connections associated with a particular sticky entry.
switch/Admin# show sticky database static detail | i internal
internal entry-id: 0x200006
internal entry-id: 0x200007
After you have obtained the internal sticky id, use the show conn sticky command
to display all the connections linked to that sticky entry as follows:
switch/Admin# show conn sticky 0x200006
-------+--+---+-----+----+-----------------+-----------------+------+
switch/Admin#
Table 5-13 describes the fields in the show stats sticky command output.
Table 5-13 Field Descriptions for the show stats sticky Command Output
Field: Description
Total sticky entries reused prior to expiry: Total number of older sticky entries in the sticky database that the ACE needed to clear because the database was full and new sticky connections were received, even though the entries had not expired.
Total active sticky entries: Total number of entries in the sticky database that currently have flows mapped to them.
Total active reverse sticky entries: Total number of entries in the sticky database that currently have reverse sticky flows mapped to them.
Total active sticky conns: Total number of sticky connections that are currently active.
Total static sticky entries: Total number of configured static entries that are in the sticky database.
Total sticky entries from global pool: Total number of entries in the sticky database from the global pool.
Total insertion failures due to lack of resources: Total number of sticky cookie insertion failures that resulted from insufficient resources.
For example, to clear all sticky statistics for the Admin context, enter:
host1/Admin# clear stats sticky
Note If you have redundancy configured, you need to explicitly clear sticky statistics
on both the active and the standby ACEs. Clearing statistics on the active module
only leaves the standby module's statistics at the old values.
Note This command does not clear static sticky database entries. To clear static sticky
database entries, use the no form of the static command.
For example, to clear all dynamic sticky database entries for the sticky group
named GROUP1, enter:
host1/Admin# clear sticky database GROUP1
context Admin
member RC1
rserver SERVER1
address 192.168.12.15
probe PROBE1
inservice
rserver SERVER2
address 192.168.12.16
probe PROBE2
inservice
serverfarm SFARM1
rserver SERVER1
inservice
rserver SERVER2
inservice
context Admin
member RC1
Where to Go Next
If you want to configure firewall load balancing (FWLB), see Chapter 7,
Configuring Firewall Load Balancing.